[PATCH 5/5] ntoskrnl.exe: Avoid accessing fields of sync objects outside of the sync CS.
Zebediah Figura
z.figura12 at gmail.com
Tue Jan 29 22:01:48 CST 2019
Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
---
dlls/ntoskrnl.exe/sync.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/dlls/ntoskrnl.exe/sync.c b/dlls/ntoskrnl.exe/sync.c
index 1ab37d13f6..065609117c 100644
--- a/dlls/ntoskrnl.exe/sync.c
+++ b/dlls/ntoskrnl.exe/sync.c
@@ -191,14 +191,14 @@ void WINAPI KeInitializeEvent( PRKEVENT event, EVENT_TYPE type, BOOLEAN state )
*/
LONG WINAPI KeSetEvent( PRKEVENT event, KPRIORITY increment, BOOLEAN wait )
{
- HANDLE handle = event->Header.WaitListHead.Blink;
+ HANDLE handle;
LONG ret;
TRACE("event %p, increment %d, wait %u.\n", event, increment, wait);
EnterCriticalSection( &sync_cs );
ret = InterlockedExchange( &event->Header.SignalState, TRUE );
- if (handle)
+ if ((handle = event->Header.WaitListHead.Blink))
SetEvent( handle );
LeaveCriticalSection( &sync_cs );
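Review bot: The invariant the moved read on the `if ((handle = event->Header.WaitListHead.Blink))` line enforces — `Blink` holds the backing Win32 handle and may only be read under `sync_cs` — is not written down anywhere, so the next edit can hoist the read back above `EnterCriticalSection` exactly as the old code had it. The other hunks of this patch show `Blink` being created (KeSetTimerEx) and cleared (KeReleaseMutex) under the same lock from other paths, which is the reason worth recording at the read: `/* Blink is the backing Win32 handle; other paths create and close it under sync_cs, so never read it outside the lock. */`. KeSetEvent's return statement lies past the end of the hunk.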
@@ -210,14 +210,14 @@ LONG WINAPI KeSetEvent( PRKEVENT event, KPRIORITY increment, BOOLEAN wait )
*/
LONG WINAPI KeResetEvent( PRKEVENT event )
{
- HANDLE handle = event->Header.WaitListHead.Blink;
+ HANDLE handle;
LONG ret;
TRACE("event %p.\n", event);
EnterCriticalSection( &sync_cs );
ret = InterlockedExchange( &event->Header.SignalState, FALSE );
- if (handle)
+ if ((handle = event->Header.WaitListHead.Blink))
ResetEvent( handle );
LeaveCriticalSection( &sync_cs );
@@ -252,7 +252,7 @@ void WINAPI KeInitializeSemaphore( PRKSEMAPHORE semaphore, LONG count, LONG limi
LONG WINAPI KeReleaseSemaphore( PRKSEMAPHORE semaphore, KPRIORITY increment,
LONG count, BOOLEAN wait )
{
- HANDLE handle = semaphore->Header.WaitListHead.Blink;
+ HANDLE handle;
LONG ret;
TRACE("semaphore %p, increment %d, count %d, wait %u.\n",
@@ -260,7 +260,7 @@ LONG WINAPI KeReleaseSemaphore( PRKSEMAPHORE semaphore, KPRIORITY increment,
EnterCriticalSection( &sync_cs );
ret = InterlockedExchangeAdd( &semaphore->Header.SignalState, count );
- if (handle)
+ if ((handle = semaphore->Header.WaitListHead.Blink))
ReleaseSemaphore( handle, count, NULL );
LeaveCriticalSection( &sync_cs );
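Review bot: The result of `ReleaseSemaphore( handle, count, NULL )` on the line after the new read is ignored, so if it fails (for instance because `count` would push the Win32 semaphore past its maximum) `SignalState` has already been advanced by `InterlockedExchangeAdd` and the two counts stay out of step for the life of the object. There is also no check of `count` against the limit that `KeInitializeSemaphore` takes (its `limit` parameter is visible in the context of the previous hunk), which is the case Windows rejects rather than silently over-releasing. At minimum back the add out on failure: `if (handle && !ReleaseSemaphore( handle, count, NULL )) InterlockedExchangeAdd( &semaphore->Header.SignalState, -count );`. The function's return statement is outside the hunk.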
@@ -285,7 +285,6 @@ void WINAPI KeInitializeMutex( PRKMUTEX mutex, ULONG level )
*/
LONG WINAPI KeReleaseMutex( PRKMUTEX mutex, BOOLEAN wait )
{
- HANDLE handle = mutex->Header.WaitListHead.Blink;
LONG ret;
TRACE("mutex %p, wait %u.\n", mutex, wait);
@@ -294,7 +293,7 @@ LONG WINAPI KeReleaseMutex( PRKMUTEX mutex, BOOLEAN wait )
ret = mutex->Header.SignalState++;
if (!ret && !mutex->Header.WaitListHead.Flink)
{
- CloseHandle( handle );
+ CloseHandle( mutex->Header.WaitListHead.Blink );
mutex->Header.WaitListHead.Blink = NULL;
}
LeaveCriticalSection( &sync_cs );
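Review bot: The new `CloseHandle( mutex->Header.WaitListHead.Blink )` has no NULL guard, unlike the `if ((handle = ...))` tests this same commit adds in KeSetEvent, KeResetEvent and KeReleaseSemaphore, so a release with `SignalState` at 0 and no waiters but no backing handle becomes a failing CloseHandle(NULL); whether that state is reachable depends on the wait path, which is not in this hunk, and `if (mutex->Header.WaitListHead.Blink) CloseHandle( mutex->Header.WaitListHead.Blink );` closes the gap either way. Separately, `ret = mutex->Header.SignalState++` on the context line above is a plain increment while the sibling functions use Interlocked operations on the same field, which suggests some reader inspects `SignalState` without the lock; if so this should be `ret = InterlockedIncrement( &mutex->Header.SignalState ) - 1;` as well. KeReleaseMutex's return statement lies outside the hunk.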
@@ -330,7 +329,6 @@ void WINAPI KeInitializeTimer( KTIMER *timer )
*/
BOOLEAN WINAPI KeSetTimerEx( KTIMER *timer, LARGE_INTEGER duetime, LONG period, KDPC *dpc )
{
- BOOL manual = timer->Header.Type == TYPE_MANUAL_TIMER;
BOOL ret;
TRACE("timer %p, duetime %s, period %d, dpc %p.\n",
@@ -343,10 +341,12 @@ BOOLEAN WINAPI KeSetTimerEx( KTIMER *timer, LARGE_INTEGER duetime, LONG period,
}
EnterCriticalSection( &sync_cs );
+
ret = timer->Header.Inserted;
timer->Header.Inserted = TRUE;
- timer->Header.WaitListHead.Blink = CreateWaitableTimerW( NULL, manual, NULL );
+ timer->Header.WaitListHead.Blink = CreateWaitableTimerW( NULL, timer->Header.Type == TYPE_MANUAL_TIMER, NULL );
SetWaitableTimer( timer->Header.WaitListHead.Blink, &duetime, period, NULL, NULL, FALSE );
+
LeaveCriticalSection( &sync_cs );
return ret;
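Review bot: `CreateWaitableTimerW( NULL, timer->Header.Type == TYPE_MANUAL_TIMER, NULL )` can return NULL, and its result is stored in `Blink` and handed straight to `SetWaitableTimer` with no check; in addition, when `timer->Header.Inserted` was already set (the `ret = timer->Header.Inserted` line) the previous handle in `Blink` is overwritten without being closed, which leaks it unless something outside this hunk releases it first. Re-arming should drop the old handle when one is still held and only arm the new timer if creation succeeded, as sketched below. The function's prologue and the early-exit block above `EnterCriticalSection` are outside this hunk, and `ret` still reports the previous `Inserted` state as before.
```c
    EnterCriticalSection( &sync_cs );

    ret = timer->Header.Inserted;
    timer->Header.Inserted = TRUE;
    /* re-arming replaces the backing object; drop the previous handle if one is still held */
    if (ret && timer->Header.WaitListHead.Blink)
        CloseHandle( timer->Header.WaitListHead.Blink );
    timer->Header.WaitListHead.Blink = CreateWaitableTimerW( NULL, timer->Header.Type == TYPE_MANUAL_TIMER, NULL );
    if (timer->Header.WaitListHead.Blink)
        SetWaitableTimer( timer->Header.WaitListHead.Blink, &duetime, period, NULL, NULL, FALSE );

    LeaveCriticalSection( &sync_cs );
```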
--
2.20.1